In spite of a plethora of security products, your security teams are still behind the eight ball when it comes to quickly identifying the alerts that matter from the ones that don’t. Multiple products that function in silos also means valuable time is sucked up pivoting between these different systems to capture, collect and correlate application, website and enterprise systems data.
The Demisto and Elasticsearch integration equips your teams with rich, correlated application and log data that can be leveraged during incident investigations or by playbooks for automated data enrichment and incident response.
- Query Elasticsearch data to investigate or enrich incidents in Demisto and trigger automated triage and response.
- Leverage hundreds of Demisto third-party product integrations to further enrich incident data for investigations or to coordinate response across security functions.
- Run hundreds of commands (including Elasticsearch commands) interactively via a ChatOps interface while collaborating with other analysts and Demisto’s chatbot.
USE CASE #1
Automated Data Enrichment and Incident Response
If your SOC uses different solutions for data enrichment and incident response, it can be tough to track the lifecycle of an incident due to fragmented information distributed across multiple locations. As a result, your analysts spend time chasing data and completing these low-level tasks.
Elasticsearch alerts can trigger Demisto playbooks that orchestrate response actions across the entire stack of products that your SOC uses in one single workflow. For example, your analysts can create tickets, enrich incident data, identify malicious indicators, calculate incident severity, quarantine endpoints and send notification emails as tasks within a playbook.
What’s unique about this integration is that Demisto’s classification mapping lets you easily segment Elasticsearch alerts so that separate incident types can be created to run different playbooks that map to your existing incident response processes.
Automating repetitive, manual tasks streamlines the incident lifecycle and helps your team speed up incident triage and resolution. Here’s an example: as Elasticsearch alerts trigger playbooks, your team can also set those playbooks up to fetch additional incident data from endpoint products and threat intelligence sources to determine whether the alert is a false positive or a duplicate that can be auto-closed.
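The triage flow described in this use case (classification mapping from alert to incident type, enrichment from endpoint and threat-intelligence data, auto-closing duplicates and false positives) can be sketched as plain Python. This is an added illustration, not Demisto’s or Elastic’s own code or API: the alert documents, the rule-to-incident-type mapping, the enrichment tables and the severity rules are all constructed here so the block runs offline.

```python
"""Automated triage for Elasticsearch-sourced alerts: classification mapping,
duplicate detection and false-positive auto-close.

Added example, not Demisto's or Elastic's own code. The alert documents,
the rule-to-incident-type mapping and the enrichment tables are constructed
so the block runs offline.
"""
from typing import Dict, List, Optional, Tuple

# Constructed alert documents, shaped like hits fetched from an Elasticsearch index.
SAMPLE_ALERTS: List[Dict] = [
    {"_id": "a1", "rule": "malware-detected", "host": "ws-042",
     "sha256": "0" * 64, "timestamp": "2020-01-01T10:00:00Z"},
    {"_id": "a2", "rule": "brute-force-login", "host": "vpn-gw",
     "user": "alice", "attempts": 300, "timestamp": "2020-01-01T10:01:00Z"},
    {"_id": "a3", "rule": "malware-detected", "host": "ws-042",
     "sha256": "0" * 64, "timestamp": "2020-01-01T10:02:00Z"},   # repeat of a1
    {"_id": "a4", "rule": "port-scan", "host": "scanner-01",
     "timestamp": "2020-01-01T10:03:00Z"},                       # authorised scanner
    {"_id": "a5", "rule": "new-rule", "host": "db-01",
     "timestamp": "2020-01-01T10:04:00Z"},                       # rule not yet mapped
]

# Classification mapping (constructed): alert rule -> (incident type, playbook to run).
CLASSIFICATION: Dict[str, Tuple[str, str]] = {
    "malware-detected": ("Malware", "Malware Investigation"),
    "brute-force-login": ("Account Compromise", "Brute Force Response"),
    "port-scan": ("Reconnaissance", "Scan Triage"),
}
DEFAULT_CLASS = ("Unclassified", "Manual Review")

# Constructed stand-ins for endpoint and threat-intelligence enrichment lookups.
KNOWN_BAD_HASHES = {"0" * 64}
AUTHORISED_SCANNERS = {"scanner-01"}


def classify(alert: Dict) -> Tuple[str, str]:
    """Map the alert's rule name to an incident type and the playbook for it."""
    return CLASSIFICATION.get(alert.get("rule", ""), DEFAULT_CLASS)


def dedup_key(alert: Dict) -> Tuple:
    """Fields that make two alerts the same incident: rule, host and the
    main indicator (file hash or user). _id and timestamp are ignored."""
    return (alert.get("rule"), alert.get("host"),
            alert.get("sha256") or alert.get("user"))


def enrich(alert: Dict) -> Dict:
    """Facts a playbook would fill in from external lookups (constructed here)."""
    return {
        "hash_known_bad": alert.get("sha256") in KNOWN_BAD_HASHES,
        "host_is_authorised_scanner": alert.get("host") in AUTHORISED_SCANNERS,
    }


def severity(alert: Dict, facts: Dict) -> str:
    """Simple severity rules: confirmed-bad hash outranks a volume-based signal."""
    if facts["hash_known_bad"]:
        return "High"
    if alert.get("attempts", 0) >= 100:
        return "Medium"
    return "Low"


def triage(alerts: List[Dict],
           open_incidents: Optional[Dict[Tuple, str]] = None) -> List[Dict]:
    """Turn alerts into incidents. Repeats of an already-open incident and
    enrichment-confirmed false positives are auto-closed; everything else is
    opened with a severity and the playbook its incident type maps to."""
    open_incidents = dict(open_incidents or {})   # dedup key -> open incident id
    incidents: List[Dict] = []
    for alert in alerts:
        inc_type, playbook = classify(alert)
        key = dedup_key(alert)
        facts = enrich(alert)
        incident = {"id": alert["_id"], "type": inc_type,
                    "playbook": playbook, "facts": facts}
        if key in open_incidents:
            incident.update(status="closed-duplicate",
                            duplicate_of=open_incidents[key])
        elif inc_type == "Reconnaissance" and facts["host_is_authorised_scanner"]:
            incident.update(status="closed-false-positive",
                            reason="authorised scanner")
        else:
            incident.update(status="open", severity=severity(alert, facts))
            open_incidents[key] = alert["_id"]
        incidents.append(incident)
    return incidents


if __name__ == "__main__":
    for inc in triage(SAMPLE_ALERTS):
        print(inc["id"], inc["type"], inc["status"],
              inc.get("severity", ""), inc.get("duplicate_of", ""))
```

The dedup key deliberately excludes `_id` and `timestamp`, since a re-fired rule produces a fresh document for the same underlying event; an unmapped rule falls through to an "Unclassified" type with a manual-review playbook rather than being dropped, so nothing silently disappears.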
To learn more about our integration with Elasticsearch, you can read our solution brief here:
USE CASE #2
Interactive Real-time Investigation for Complex Threats
While automated playbooks can ease your analysts’ workload, an attack investigation usually requires them to perform additional tasks such as pivoting from one suspicious indicator to another to gather critical evidence, drawing relations between incidents, and finalizing resolution.
After running playbooks, your analysts can then gain greater visibility and new actionable information about the attack by running Elasticsearch commands in the Demisto war room. They can query and view data in real-time for search, logging, security, and analytics use cases via the work plan and war room windows. They can also run commands from other security tools in real-time, ensuring a single-console view for end-to-end investigation. The war room auto-documents all analyst actions and suggests the most effective analysts and command-sets over time.
All participating analysts will have full task-level visibility into the process and be able to run and document commands from the same window. Auto-documentation of all automation and analyst actions enables you to bypass the manual collation of data for reports and our reports can also be customized to suit the specific needs of your audience.
We hope you found this integration overview useful. To explore Demisto in greater detail, you can download our free community edition below.